Sarcoma Ransomware


About This Threat Profile

First Identified: 2024

Threat Type:
Ransomware-as-a-Service (RaaS)

Extortion method:
Double Extortion – where the operators encrypt victim data, exfiltrate sensitive data, and threaten to leak that data if the ransom is not paid.

Most frequently targeted industry:

  • Industrials (Manufacturing)

Most frequently targeted victim HQ region: North America

Known Associations:

  • Egregor Ransomware
  • Maze Ransomware

Select MITRE ATT&CK Mappings

    • Initial Access
      • Valid accounts, external remote services, exploit public-facing applications, supply chain compromise, phishing (MITRE ATT&CK: T1078, T1133, T1190, T1195, T1566)
    • Persistence
      • Scheduled task/job, event triggered execution, boot or logon autostart execution (MITRE ATT&CK: T1053, T1546, T1547)
    • Lateral Movement
      • Remote services and alternate authentication material (MITRE ATT&CK: T1021, T1550)

Description of Sarcoma Ransomware

Sarcoma is a ransomware operation that was first identified in October 2024. The group uses the double extortion method: in addition to encrypting the network, it exfiltrates data and threatens to leak that data if the ransom is not paid.

Sarcoma operates as a ransomware-as-a-service (RaaS) and purportedly offers a 70/30 split on payments for affiliates.

Sarcoma operates both a Windows and a Linux variant. The Windows variant is written in C++. Sarcoma is reported to use a hybrid encryption model, combining the ChaCha20 stream cipher with RSA-4096 asymmetric encryption; other reports indicate the group has used AES-256 with RSA-2048. Both methods rely on CryptoPP library functions and a multithreaded architecture for faster encryption.

Sarcoma specifically avoids targeting systems configured with the Uzbek keyboard layout, indicating that the core operators may be located in that region. This is a common tactic in ransomware operations to avoid legal repercussions in the operators' home jurisdictions.

Sarcoma ransomware disables critical business systems by stopping services and processes related to Microsoft SQL Server and PostgreSQL using PowerShell and WMIC. Additionally, the variant deletes local backups using VssAdmin and wbadmin. The Linux variant uses VMware’s vim-cmd utility to enumerate and delete VM snapshots.
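The behaviors above (stopping SQL Server and PostgreSQL via PowerShell/WMIC, deleting local backups with vssadmin and wbadmin, and removing ESXi snapshots with vim-cmd) are all visible in process-creation telemetry. The following is an added detection example written for this profile, not code from Blackpoint Cyber or from the Sarcoma samples; the event records and host names are constructed, and the rule names are hypothetical.

```python
import re

# Constructed sample process-creation events (Sysmon-style fields for Windows hosts,
# a shell audit line for an ESXi host). Hypothetical data, not real Sarcoma telemetry.
SAMPLE_EVENTS = [
    {"host": "sql01", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "sql01", "cmdline": "wmic service where \"name like 'MSSQL%'\" call stopservice"},
    {"host": "fs02", "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "esxi01", "cmdline": "vim-cmd vmsvc/snapshot.removeall 12"},
    {"host": "ws07", "cmdline": "vssadmin list shadows"},  # benign admin query, must not alert
]

# Each rule fires only when every pattern matches the command line (order-independent,
# case-insensitive), so "vssadmin list shadows" does not trip the deletion rule.
RULES = [
    ("shadow_copy_deletion", [r"\bvssadmin\b", r"\bdelete\b", r"\bshadows\b"]),
    ("backup_catalog_deletion", [r"\bwbadmin\b", r"\bdelete\b"]),
    ("db_service_stop", [r"\b(wmic|powershell|net|sc)\b",
                         r"\b(stop|stopservice|stop-service)\b",
                         r"\b(mssql|sql|postgres\w*)\b"]),
    ("esxi_snapshot_removal", [r"\bvim-cmd\b", r"snapshot\.remove"]),
]

def match_rules(cmdline):
    """Return the names of all rules whose patterns all match this command line."""
    return [name for name, pats in RULES
            if all(re.search(p, cmdline, re.IGNORECASE) for p in pats)]

def triage(events):
    """Return (alerts, escalated_hosts): one alert per (host, rule) hit, plus the hosts
    that tripped two or more distinct rules. Backup destruction combined with database
    service stops on one host is the pattern worth treating as active ransomware staging."""
    alerts, per_host = [], {}
    for ev in events:
        for rule in match_rules(ev["cmdline"]):
            alerts.append((ev["host"], rule))
            per_host.setdefault(ev["host"], set()).add(rule)
    escalated = sorted(h for h, rules in per_host.items() if len(rules) >= 2)
    return alerts, escalated

if __name__ == "__main__":
    alerts, escalated = triage(SAMPLE_EVENTS)
    for host, rule in alerts:
        print(f"ALERT {host}: {rule}")
    print("escalate:", escalated)
```

In production these patterns would sit in an EDR or SIEM rule (for example Sigma) over Sysmon Event ID 1 / Windows Event 4688 command lines and ESXi shell logs; the point of the host-level correlation is that a single vssadmin query is routine, while deletion plus service stops on the same host is not.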

Sarcoma moves laterally through compromised networks using a combination of passive network scanning, ICMP pings, and other techniques. It uses CopyFileA and SMB shares to copy the ransomware payload across the network.

Once the ransomware has encrypted the network, it drops a ransom note in every encrypted folder and subfolder. The ransom note is extracted from an embedded PDF.

Sarcoma has been reported to focus on larger organizations, specifically those with annual revenues between $1 million and $50 million. The group likely focuses on this revenue band because such organizations are considered profitable enough to pay a ransom demand but small enough to lack robust security measures.

While Sarcoma was first discovered in 2024, the group's tactics indicate that the operators are technically sophisticated and likely operated within other operations or under a different brand prior to the creation of the Sarcoma variant.

Security researchers have theorized that Sarcoma operators may be linked to the former Maze and Egregor Ransomware operators. This assessment is based on architectural choices including multithreaded encryption, strategic directory avoidance, and the group’s data leak site mirroring those of Maze and Egregor.

Sarcoma has proven to be a capable and persistent ransomware operation and will likely continue to target organizations over the next 6-12 months for financial gain.

Date published: November 12, 2025
Author: Blackpoint Cyber